Tweets


  1. Retweeted
    Jun 3

    Reminder: if you learned something valuable from a person, whether a talk they gave, a blog, or just stalking their twitter: let them know

  2. May 31

    So much used to reading minified JS code, doing nasty stuff with postmessage. ;)

  3. May 2

    The force is really strong towards a TypeScript future.

  4. Retweeted
    Apr 27

    By using a specially crafted input, it is possible under the right conditions to trick Imagemagick into processing images, rather than | sh

  5. Retweeted
    Mar 23
  6. Mar 1

    The Atom text editor has improved a lot from its early beta days. It's stable and is almost replacing IntelliJ for me. Try material-ui theme.

  7. Retweeted
    Feb 23

    It's not that C is hard. It's that paper cuts won't stop bleeding. Small mistakes are hard to find and test for.

  8. Retweeted
    Jan 27

    The secret goal of CSP is to become so complicated that people give up and just fix their apps' XSS problems the right way.

  9. Jan 8

    They killed CSP Whitelists and are now back to hacking around content exfiltration attacks. Happy New Year 2012.

  10. Retweeted
    23 Dec 2016

    Bypassing CSP script nonces via the browser cache: . Nonces are incompatible with most caching mechanisms.

  11. 27 Sep 2016

    Everyone should read this article and understand the transitive trust that strict-dynamic introduces: It's a gem!

  12. 27 Sep 2016

    Why call it Strict-CSP when it cannot prevent most kinds of DOM XSS?

  13. 26 Sep 2016

    With its transitive trust model, it's wrongly named and is an example of why we make it hard for security engineers. Devs get a false hope.

  14. 26 Sep 2016

    CSP 'strict-dynamic' is a nightmare if your app is modern and has too much DOM manipulation.

  15. Retweeted
    26 Aug 2016

    More password manager bugs out today and more due out soon. I'm not going to look at more, the whole industry is crazy, you're on your own.

  16. 24 Aug 2016

    Hookish! now has some experimental JavaScript static analyzer for security. Just right click and scan all JS files.

  17. Retweeted
    5 Aug 2016

    She sells C shells by the back door. The shells she sells are C shells for sure.

  18. Retweeted
    25 May 2016

    wrote a thing about visiting Chelsea Manning in prison at Fort Leavenworth:

  19. 25 Jul 2016

    DomStorm: jQuery UI .dialog() closeText property XSS.

  20. 13 Jul 2016

    Any idea how to pass variables to template strings when $, (, ), = are blocked? alert`dynamic_var_here`
